Thursday, September 3, 2020

Zoom’s Security Nightmare Just Got Worse: But Here’s the Reality by Kate O'Flaherty



“Zoom’s security nightmare just got worse after its recent announcement that end-to-end encryption would be for paid users only. But here’s the reality. Let’s face it—there aren’t many people who haven’t used Zoom over the past few months during the COVID-19 crisis.

“It’s no surprise that Zoom’s seen such a massive surge in users, but with this rise, the video chat app has also become a target for Zoom bombers, privacy issues have come to the foreground, and security researchers have unveiled some pretty serious vulnerabilities.

“During this time, Zoom has become a bit like marmite: You either love it as it’s a great feature-rich service that is clearly trying to improve under huge strain—or you hate it because you think its security faults are intentional and unfixable. ‘Zoom is malware,’ some security industry experts say.

“It’s fair to say this situation has been a nightmare for Zoom. It’s come under pressure to stop Zoom bombers—a recent incident saw a church’s bible class hijacked by uninvited guests sharing child pornography—and now people are seriously angry after CEO Eric Yuan confirmed on its earnings call that end-to-end encryption will be for paid users only.

“At first, this sounds insane. Why make the gold standard of encryption—which means no one can access your meetings or chats, even Zoom or law enforcement—only available to those who pay? Why can people get this for free on Apple’s FaceTime, and Signal, but not on Zoom?

Delving deeper into Zoom’s end-to-end encryption decision

“But actually, if you delve deeper, Zoom’s reasoning behind this is clearer. First, you lose a lot of functionality if you make Zoom end-to-end encrypted. There are no more dial ins to calls, so you can’t join by phone, and you also lose features like cloud recordings and streaming to YouTube.

“Plus, remember that Zoom’s main competitors don’t have end-to-end encryption: Microsoft Teams, Blue Jeans, Google Meet, Cisco Webex (although Webex has e2e for some enterprise users too).

“Then there’s the big issue—Zoom bombing. This affliction affects other services such as Houseparty, but none have become a target for this as much as Zoom. Zoom bombing incidents are also pretty high profile; they don’t make Zoom look good and law enforcement is often involved, especially when it comes to child exploitation.

“The video conferencing service has tried to stop Zoom bombing through some major security upgrades and its ‘Report a User’ feature, but allowing criminals such as those sharing abusive images to further hide on the platform is just not feasible.

“As former Facebook CSO and now Zoom consultant Alex Stamos took to Twitter to explain on a thread: ‘Zoom is dealing with some serious safety issues. This creates a difficult balancing act for Zoom, which is trying to both improve the privacy guarantees it can provide while reducing the human impact of the abuse of its product.’

Here’s the reality

“Another defender of Zoom’s decision to only offer end-to-end encryption to paid users is Ben Thompson, analyst and author of business blog Stratechery, which provides a good explanation of the Zoom earnings call comments. Yuan doesn’t want paid users to pay for end-to-end encryption; he thinks it should be available for everyone, but the platform’s functionality will also be killed by it. It’s a trade-off. In fact, it seems that much of Zoom’s earnings call end-to-end encryption discussion has been misinterpreted as ‘Zoom wants to share your chats with the FBI.’

“So, here’s the reality: Zoom has a PR problem that began as security and privacy issues hit during lockdown and as it tries to pick up the pieces, it’s in danger of getting stuck in a nightmare it can’t escape. After a brief stay, the end-to-end encryption debate has brought out the Zoom haters once again. How Zoom reacts now is crucial—the firm needs to be clearer in explaining what it’s doing and why, or people’s trust will be eroded even more” (Forbes).


In response to this article, Zoom sent me a statement which reads:

“Zoom has engaged with child safety advocates, civil liberties organizations, encryption experts, and law enforcement to incorporate their feedback into our plan. Finding the perfect balance is challenging. We always strive to do the right thing.”


1 comment:

  1. Zoom security tips:

    Join Zoom meetings through your web browser rather than using the Zoom desktop software. The web browser version gets security enhancements faster.

    "The web version sits in a sandbox in the browser and doesn’t have the permissions an installed app has, limiting the amount of harm it can potentially cause," notes information-security company Kaspersky.

    When you click a link to join a meeting, your browser will open a new tab and prompt you to use or install the Zoom desktop software. But in the fine print, there's a link to "join from your browser." Click that instead.

    If you are hosting a Zoom meeting, ask that meeting participants sign in with a password. That will make Zoom-bombing much less likely.

    Zoom creates a huge "attack surface" and hackers are going to come at it every way they can. They've already registered lots of Zoom-related phony domains and are developing Zoom-themed malware.

    The upside is that if lots of flaws in Zoom are found and fixed right away, then Zoom will be the better -- and safer -- for it.

    "Zoom will soon be the most secure conferencing tool out there," wrote tech journalist Kim Zetter on Twitter April 1. "But too bad they didn't save themselves some grief and engage in some security assessments of their own to avoid this trial by fire."

    https://www.tomsguide.com/news/zoom-security-privacy-woes

